E-filing Tax Fraud

An audit released this week by Internet security nonprofit the Online Trust Alliance found that 46 percent, or 6 out of 13 tax software websites in an IRS program, failed cybersecurity protocols.

The websites are part of IRS Free File program, which lets anyone who made under $62,000 in 2015 file taxes electronically for free. Seventy percent of American taxpayers can participate in the program, which has been around since 2003.

Some of the websites had issues with lack of email authentication, according to the OTA, which lets cyber criminals send out phishing emails, fake emails purporting to be from a company. Other sites had vulnerabilities that could lead to personal information being stolen. The report was sponsored by cybersecurity companies Agari, DigiCert and Symantec.

In order to participate in the Free File Program, taxpayers use one of 13 third-party tax software websites to submit their taxes electronically. These websites are all members of the Free File Alliance, a nonprofit coalition of the tax software companies. For those with higher incomes, these companies also offer more advanced tax preparation software and services for a fee.

Tax scams surge

The websites that made the OTA’s honor roll, which means they scored at least 80 percent on each section of the audit, are well-known tax preparers like Intuit’s TurboTax and H&R Block, as well as eSmart Tax, exTaxReturn.com, Free Tax USA, TaxAct and TaxSlayer.

The Free File Alliance, which represents the 13 websites that don’t charge filers, said its software “meets the highest standards of security, privacy and support.”

In a statement emailed to CNBC, Tim Hugo, executive director of the Free File Alliance said, “All Free File companies are evaluated and tested each year to ensure that they meet IRS standards addressing every aspect of security and privacy.”

“Our members, working with the IRS, will carefully examine this report and take its recommendations under consideration in our continued efforts to ensure that Free File offers the industry’s most innovative and secure tax software,” he said.

The OTA audit comes as tax scams are on the rise, yet Americans are surprisingly nonchalant about whether they can become victims of fraud. The IRS reported that tax-related phishing emails and malware have surged 400 percent this tax season. In many instances, cybercriminals send emails, text messages and make calls purporting to be the IRS, which trick filers into sending money or revealing personal information.

According to an independent survey by IDT911, a data security firm, some 63 percent of U.S. taxpayers polled believe that tax fraud “could never happen to me” — and aren’t that concerned by the prospect. The study also found that nearly 20 percent of U.S. filers haven’t ensured their wireless networks are secure when filing online.

“The sophistication of cybercriminals is a lot more advanced than a few years ago. It’s hard for the average consumer to tell [if a website or email is legitimate],” said Jason Sabin, chief security officer at DigiCert, a technology security firm. He said that filing firms should up their standards in the face of widespread chicanery.

“This is not like school. Everyone can and should be on honor roll,” Sabin said in a phone interview.

To test the websites, the OTA scanned them using commonly available tools, the same ones hackers may use.

Some e-file websites had vulnerabilities that would allow a cyber criminal to watch as users type in personal information. In addition, the OTA found vulnerabilities that would allow criminals to hack the websites and gain personal information, according to the OTA’s Spiezle.

“Sites that are collecting what I’d say are the biggest, most personal information for identity theft are not following industry standards,” said Spiezle.

Roxane Divol, a senior vice president and general manager at Symantec called the results not particularly surprising. “The reality is only 3 percent of all websites are encrypted.”

In response to the audit, an IRS spokesman told CNBC in an email that the agency “is committed to working with its partners to improve security protections for taxpayers and combating stolen identity refund fraud. … As the report rightly notes, the areas of security and privacy are evolving daily.

The IRS added that “rather than prescribe federal regulations that might be quickly outdated, the IRS works with the industry through the Security Summit Initiative to encourage tougher standards. For example, because of the cooperative efforts of the Security Summit, the software industry agreed to stronger password procedures for 2016.”

How to protect yourself

To protect personal data when e-filing taxes, experts suggest users look for clues that the website you are using is encrypted. Most browsers display either green in the browser bar, or a closed lock symbol, that shows users the site is secure.

Experts also suggest you file your taxes as soon as possible. This decreases the ability of cyber criminals to file in your name.

Finally, be wary of any emails, text messages or phone calls from the IRS. Even though cybercriminals can spoof, or make the email address or phone number seem like it’s the government, the IRS will not call or email you. Instead, they use traditional mail.

Are you a victim of fraud or money scam? Share your story with us on the Money Credit and YouFacebook page!